- dotastoc.com/442417.js?sid=bWtuamJoX2NvZmZlZS1jODMuZG90YXN0b2MuY29t [188.8.131.52, Germany - Netdirekt E.k]
- mknjbhyju.exxl.pl/coffee-c83/xalei.html [184.108.40.206, Ohio - XLHost.com Inc]
- mknjbh_coffee-c83.dotastoc.com/index.html ?Ref=http%3A%2F%2Fwww.google.co.uk %2Fsearch%3Fhl%3Den%26q%3D[redacted]%26btnG%3DSearch%26meta%3D
- myth-busters.cn/go.php?id=2009-01&key=cd19f5036&p=1 [220.127.116.11, Netherlands - Ecatel]
- 09computerquickscan.com [multihomed at 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, Germany Hetzner Online AG]
Lots of suspect IP addresses there, 220.127.116.11 is the first step and also hosts these following domains that also look suspect:
Update: answers.com appear to have tracked down and removed the ad, although some other sites have been hit by a very similar attack.